CISA Managers’ Substitute Makes Limited Privacy Improvements

The Senate has begun to consider the Cybersecurity Information Sharing Act or CISA (S. 754) on the Senate floor and will do so again next week.  First up is consideration of a Managers’ Substitute for the bill that runs 115 pages and was publicly available for only one business day before it was considered on the floor. It replaces a managers’ amendment released on July 31: it incorporates the changes that amendment made (which we explain here) — some of which are very significant – and it includes some, mostly very modest, additional pro-privacy changes that are derived in part from amendments proffered to the bill. We explain those changes below. It leaves key privacy and security concerns that CDT identified unaddressed or insufficiently addressed. On Thursday, Oct. 22 the Senate voted to advance the Managers’ Substitute, and a final vote on it, and votes on a number of amendments to it, are expected next week.

Here is what is new in the Managers’ Substitute that will impact privacy and civil liberties:

Notice:  The Managers’ Substitute requires that information sharing procedures issued under the bill impose a duty to notify a US person when a Federal entity shares their personally identifiable information (PII) in contravention of the bill.  Usually, this would occur because the Federal entity failed to strip out personally identifiable information from a cyber threat indicator (CTI) before it shared the CTI.  This is a weak tea version of the Wyden amendment, S. Amdt. 2621, which would have required such notice to any person, and would have required such notice when any entity – including private companies and state and local governments – errantly share PII.

Removal of PII:  The bill should require private and governmental entities to remove from CTIs personally identifiable information that is not necessary to describe or identify a cybersecurity threat, and ensure that DHS has the time necessary to remove such information. The Managers’ Substitute does not come close to reaching this goal. It permits delay only when the heads of all “appropriate Federal entities” agree to it. This turns what should be an operational decision made by technicians on the ground who see something wrong and want fix it, into virtually a cabinet-level decision that will never be made. Further, it requires the stripping only of PII not known to be directly related to a cybersecurity threat — a standard so stingy that it will certainly result in the unnecessary sharing of a vast amount of PII. Adoption of the Wyden amendment, S. Amdt. 2621, would fix the standard for PII removal; adoption of the Carper amendment, S. Amdt. 2615, would permit necessary delays.

Reporting:  The bill should require extensive numerical reporting so Congress, and the public, can assess whether it is working, is being abused, is being used for criminal purposes as opposed to cybersecurity, and is resulting in unnecessary sharing of PII. The Tester amendment, S. Amdt. 2632, would have required such reporting, including: the total number of CTIs shared through the automated process envisioned in the bill; an estimate of the number of CTIs shared through other processes; the number of times PII was removed from a CTI before it was shared; the number of times a CTI was used to prevent, investigate, disrupt or prosecute a crime under the bill; and a report of harms caused by the operation of countermeasures authorized under the bill. The Managers’ Substitute draws from the Tester amendment only reporting of the number of notices sent because DHS improperly shared a US person’s PII (failure to send a required notice diminishes the number of instances of improper sharing of PII that are reported), a report of the number of CTIs shared through the automated process, and a report of the number of times CTIs were used to actually prosecute crimes under the bill –– but not the number of times they were used to prevent, disrupt or investigate such crimes.  While the bill requires other reporting, reports of numerical information necessary to assess the information sharing program are not required.

Voluntariness of Information Sharing:  The Mangers’ Substitute incorporates the Flake anti-tasking amendment, S. Amdt. 2580, almost verbatim – this is a modest gain for privacy. CISA bars the Federal government from: (i) requiring a private entity to provide information to the Federal government; (ii) conditioning the sharing of CTIs with an entity based on such entity’s provision of CTIs to the Federal government; or (iii) conditioning the award of any Federal contract or grant on the provision of CTIs to the Federal government. This helps ensure that information sharing under the bill is voluntary, not coerced. The amendment goes a step further by barring the Federal government from requiring a company to share CTIs with a non-federal-government entity, conditioning the sharing of CTIs by the government with a company on that company’s providing CTIs to a non-federal-government entity, and from conditioning the award of any federal grant, contract or purchase on the sharing of CTI’s with a non-federal-government entity.

Einstein:  The Manager’s Substitute incorporates, with minor changes, Senator Carper’s Einstein amendment, S. Amdt. 2627, the Federal Cybersecurity Enhancement Act. The amendment puts on a firmer statutory footing the Einstein intrusion detection and prevention system that DHS has been rolling out to federal agencies for some time. It does this, in part, by making it clear that DHS and contractors it hires to perform intrusion detection and prevention can gain access to any civilian, non-intelligence agency’s data notwithstanding any privacy or other law that would otherwise limit or preclude DHS access.  Such access creates privacy concerns, but they are mitigated to a significant extent by the very strong use restrictions the amendment imposes on DHS and its contractors: information they obtained through Einstein activities can be retained, used and disclosed only to protect information and information systems from cybersecurity risks. For example, if Einstein activities resulted in disclosure to DHS of information about drug offenders in a Department of Health and Human Services database, DHS could not share this information with the FBI, and it could not be used to prosecute drug offenses. This is a good thing: without the use restrictions, such information could not be collected and used for treatment.

On the other hand, the Einstein amendment includes emergency authorities that seem overbroad. When DHS determines that a known or “reasonably suspected” information security threat or vulnerability represents a substantial threat to the information security of an agency, the bill gives the Secretary of DHS authority to issue an emergency directive to the head of the agency directing such agency to take “any lawful action” for purposes of protecting the system from the threat. This means, for example, that DHS could direct the Department of Justice to delete data in its criminal justice data base, or take its network off line, even if the Attorney General and the technicians responsible for maintaining and securing the network disagreed with the DHS about the proper course of action to take. DHS could issue this directive in the absence of a cybersecurity incident; a threat or vulnerability would be enough to trigger exercise of this authority. DHS could even issue such directives with respect to systems owned and operated by private companies on behalf of the agency.  This seems problematic and overbroad.

The Managers’ Substitute includes other amendments to the bill, but they do not have significant privacy implications.